Flash loan attack nets attacker $370,000 from several sources
An attacker using the Avalanche blockchain successfully executed a attack impacting one and several other liquidity providers. The attacker made around $370,000 in USDC from the attack.
Nirvana Finance drained of $3.5 million
The Solana-based project, Nirvana Finance, was exploited by an attacker who used to drain the project of just under $3.5 million. The attacker took out a $10 million loan from the Solend project, used it to ANA tokens, swapped the ANA for $13.5 million, and then repaid the loan. The attack was similar to the attack on Crema Finance earlier in the month.
The attack caused the project's ANA token to plunge in value by 80%, and the project's NIRV stablecoin to lose its dollar peg, falling to $0.08. Nirvana Finance tweeted, "Please be advised: ANA has lost its collateral, and NIRV has lost its peg. Until the thief restores funds, these tokens will not have exchange value. Be very careful with trading NIRV & ANA, as they currently have no guaranteed value."
They also tweeted at the hacker, promising to stop investigating the hacker's identity and to pay a $300,000 "" in exchange for the funds back. They wrote, "You have not taken money from VCs or large funds — the treasury you have taken represents the collective hopes of everyday people."
The project had promised its users over 60% , and its Twitter account described ANA as "the balanced risk investment with adaptive yield".
Hackers steal $1.43 million from Omni NFT lending platform
Hackers used a attack to steal around 1,300 ETH ($1.43 million) from the NFT lending platform Omni. Omni allows users to borrow cryptocurrency against their NFTs.
Hackers used NFTs from the popular Doodles collection as collateral to borrow ETH, then withdrew all but one of the NFTs, allowing them to perform a re-entrancy attack. The attacker then laundered the funds using the Tornado Cash cryptocurrency .
According to Omni, only funds belonging to the platform that were being used for testing were taken by the attacker.
- "Hacker drains $1.4 million worth of ETH from NFT lender Omni", The Block
- Exploiter wallet on Etherscan
Hacker steals over $1.2 million from Inverse Finance, their second such exploit in under three months
A hacker was able to perform an enabled by to siphon crypto worth around $1.26 million from Inverse Finance. The loss to the protocol was higher, at around $5.8 million. The attacker has already moved most of the stolen funds to the Tornado Cash cryptocurrency .
Inverse Finance is a borrowing and lending protocol that was hit with a different oracle manipulation attack in early April, which resulted in a $15.6 million loss.
Flash loan attacks on "Feed Every Gorilla" token take $1.9 million
A attack on the "Feed Every Gorilla" (FEG) token swap pulled $1.3 million from the project, also tanking the token price by 80%. The project operates on both the Ethereum and BSC chains, and the attacker was able to use the exploit against the contracts on both networks. Shortly after the first attack, FEG was hit with a second flash loan attack that drained another $590,000 from the project.
Prior to these attacks, FEG had earned some notoriety from a May 2021 Vanity Fair article outlining an alleged scheme, titled "Inside the Rise and Fall (and Rise and Fall) of Shit Coins". Despite the bad press, much of the FEG community maintained that the article was a smear and nothing more than an attempt by the author to create . "You could literally take every token and this would apply to everyone..." wrote a moderator of the official FEG subreddit.
Saddle Finance loses more than $11 million to hack
An exploiter used a attack to pull 3,933 ETH (~$11 million) from the "decentralized automated market maker" Saddle Finance. Shortly after the attack, the hacker began moving the stolen funds through the Tornado Cash to launder the money.
Saddle Finance had lost money once before, hours after it launched in January 2021. An individual was able to arbitrage Saddle Finance for a profit of around $275,000.
- Tweet thread by PeckShield
- "Update on Saddle’s Launch", Saddle Medium
Deus Finance exploited for $13.4 million in the second hack in two months
The project Deus Finance was hit with a attack that netted the hacker $13.4 million. The loss to the protocol was likely larger than what the hacker was able to withdraw, though Deus announced that no users had been and that "the loss is on the protocol".
Deus had suffered a similar attack in March, with an attacker using a flash loan attack to steal more than $3.1 million. Deus reimbursed users who were liquidated in the incident.
According to Deus' CEO, the exploit in this incident was not the same one used in the previous attack. He wrote on Twitter that the exploit was "the first of its kind, a zero-day exploit on Solidly [decentralized crypto exchange] swaps".
Hacker pulls $1 million from defi project, then destroys contract without withdrawing the funds
An attacker targeted the ZEED projects, successfully using a attack to pull just over $1 million from the project. With the funds transferred to the attack contract, the hacker then called the contract's self-destruct function, making it impossible for the funds to ever be withdrawn. It's unclear if this was intentional and done as a sort of statement, or if the attacker intended to take the profit for themselves but forgot to do so before destroying the contract.
2omb and Redemption defi projects endure repeated flash loan attacks
Redemption provides the liquidity pools for 2omb, a Fantom-based algorithmic project with big promises: "What if you could invest in a golden goose? Something you can acquire that will actually print you more money to either invest or use?"
Starting on April 18, the projects were targeted with a series of attacks. The project faced a total of 267 flash loan attacks within one day, leading to major volatility in the ostensibly stable coin. In an impressive display of optimism, a project team member wrote, "This has caused a large price pump. (Also benefited with 3% more burned tokens in fees.) The outcome and intent of the person who has done this, is unknown and it may work in our favour, Do not panic, and do not buy or sell until stable." The attacker made a profit of around $190,000 from the attacks.
Beanstalk Farms stablecoin project loses $182 million to exploit
All my magic beans gone. An attacker successfully used a attack to exploit a flaw in Beanstalk Farms' stablecoin protocol, which allowed them to make off with 24,830 ETH (almost $76 million). The attacker then donated $250,000 to Ukraine before moving the remaining funds to Tornado Cash to .
Estimated damages to the project were higher than the amount the hacker was able to take for themselves — around $182 million. The $BEAN token, once pegged to $1, dropped to nearly 0. The project creator wrote in the Discord, "We are fucked. This project has not had any venture backing, so it is highly unlikely there is any sort of bail out coming." However, they were later slightly more optimistic, writing, "it may also be the start of something good... there may be a path forward. We don't want to comment on next steps until that path is at least visible to us" while reiterating that a bail-out was "highly unlikely". They also told members of their community that they had contacted the FBI about the theft.